API Keys
API keys authenticate server-to-server access to the Anchor CRM API. Keys belong to your organization, carry explicit scopes, and can be rotated or revoked at any time.
Key format
- Keys look like
anch_followed by 64 hex characters (32 random bytes). - Keys are sent as a Bearer token:
Authorization: Bearer anch_... - Only a hash and a short prefix are stored server-side — the full key is shown once at creation and cannot be retrieved later.
Creating and managing keys
Keys are managed at Settings → API Keys (/settings/api-keys). Creating and revoking keys requires an admin role; managers can view the key list.
When creating a key you can set:
- Name — identify the integration the key is for.
- Scopes — what the key may do; see Scopes.
- Expiry — optional
expiresInDays; expired keys are rejected automatically. - IP allowlist — optional list of allowed source IPs for the key.
Rotation and revocation
Rotate a key from the same settings page (or POST /api/api-keys/{id} with session auth): a new secret is issued and the old one stops working. Revocation is immediate. Rotate on a schedule, and immediately if you suspect a key has leaked.
Storage guidance
- Store keys in a secret manager or environment variables — never in source control, client-side code, or logs.
- Use one key per integration so a leak can be revoked without breaking everything else.
- Scope each key to the minimum it needs; avoid
*keys for third-party integrations.